[ISN] Executives Advised to Take Role in Internet Security

From: InfoSec News (isnat_private)
Date: Wed Jul 24 2002 - 03:46:06 PDT

  • Next message: InfoSec News: "[ISN] Q&A: Homeland security CIO Steven Cooper"

    http://www.washingtonpost.com/wp-dyn/articles/A53172-2002Jul23.html
    
    By Ellen McCarthy
    Washington Post Staff Writer
    Wednesday, July 24, 2002; Page E05 
    
    Internet security issues need to be addressed in boardrooms and
    executive suites, not just data centers and network storage closets.  
    That's the message one industry organization is trying to convey by
    targeting the upper echelon of management with a guide on how to ward
    off potential threats.
    
    The guide, to be released today by the Internet Security Alliance,
    recommends that executives adopt 10 key practices in order to protect
    their organizations' vulnerable networks and content.
    
    The Arlington-based alliance is the joint effort of Carnegie Mellon
    University's Software Engineering Institute, the institute's CERT
    Coordination Center and the Electronics Industries Alliance.
    
    "We've been dealing over the years with a lot of security incidents,
    and typically we get the reports from the technical people, not the
    executives. Often they feel they are not getting the support that they
    need from the management," said Richard D. Pethia, director of CERT,
    formerly known as the Computer Emergency Response Team.
    
    "There has been an attitude across government and management that this
    is a technical issue and technicians should be able to deal with it."
    
    The guide, which will be available on the alliance's Web site
    (www.isalliance.org), suggests that senior managers identify the
    security risks within their organizations, create specific policies to
    address the problems, provide necessary funding to implement and
    maintain security measures, and make users accountable for their
    actions. Other recommendations include the use of system-monitoring
    tools, development of emergency recovery plans and the regulation of
    access to key physical assets.
    
    The guidelines are based on a study of current security practices used
    by the alliance's members and CERT research on management policy
    issues. The founders say they hope the guide will serve as an outline
    of crucial steps for all organizations, regardless of size or
    industry, Pethia said.
    
    Last week, the Center for Internet Security released a set of security
    standards and software that draws from the expertise of several
    government agencies, including the Pentagon and the National Security
    Agency.
    
    Pethia said that as executives realize how much financial risk is
    associated with potential security breaches, they have become more
    interested in ways to prevent them.
    
    "The awareness is really growing and has grown. Senior management is
    now paying attention, but we need to help them move beyond awareness
    and into understanding," Pethia said.
    
    "The pain level [from network attacks] is going up. We haven't had the
    big Pearl Harbor, but we have incidents every day. Right now we're
    suffering death by a million paper cuts."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 06:41:01 PDT